The Any IP feature does not apply to a computer using either a dynamic IP address or a static
IP address that is in the same subnet as the ZyXEL Device’s IP address.
Note: You must enable NAT to use the Any IP feature on the ZyXEL Device.
Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP
address) to a physical machine address, also known as a Media Access Control or MAC
address, on the local area network. An IP routing table is defined on IP Ethernet devices (the
ZyXEL Device) to decide which hop to use, to help forward data along to its specified
destination.
The following lists out the steps taken when a computer tries to access the Internet for the first
time through the ZyXEL Device.
1 When a computer (which is in a different subnet) first attempts to access the Internet, it
sends packets to its default gateway (which is not the ZyXEL Device) by looking at the
MAC address in its ARP table.
2 When the computer cannot locate the default gateway, an ARP request is broadcast on
the LAN.
3 The ZyXEL Device receives the ARP request and replies to the computer with its own
MAC address.
4 The computer updates the MAC address for the default gateway in its ARP table. Once
the ARP table is updated, the computer is able to access the Internet through the ZyXEL
Device.
5 When the ZyXEL Device receives packets from the computer, it creates an entry in the
IP routing table so it can properly forward packets intended for the computer.
After all the routing information is updated, the computer can access the ZyXEL Device and
the Internet as if it is in the same subnet as the ZyXEL Device.
ZyXEL NBG-334SH User’s Guide
Chapter 7 LAN
7.3 LAN IP Screen
Use this screen to change your basic LAN settings. Click Network > LAN.
Figure 56 LAN IP
The following table describes the labels in this screen.
Table 36 LAN IP
LABEL / DESCRIPTION
LAN TCP/IP
IP Address: Type the IP address of your ZyXEL Device in dotted decimal notation, 192.168.1.1 (factory default).
IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your ZyXEL Device will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyXEL Device.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Reset: Click Reset to begin configuring this screen afresh.
7.4 LAN IP Alias
IP alias allows you to partition a physical network into different logical networks over the
same Ethernet interface. The ZyXEL Device supports three logical LAN interfaces via its
single physical Ethernet interface with the ZyXEL Device itself as the gateway for each LAN
network.
To change your ZyXEL Device’s IP alias settings, click Network > LAN > IP Alias. The
screen appears as shown.
Figure 57 LAN IP Alias
The following table describes the labels in this screen.
Table 37 LAN IP Alias
LABEL / DESCRIPTION
IP Alias 1, 2: Select the check box to configure another LAN network for the ZyXEL Device.
IP Address: Enter the IP address of your ZyXEL Device in dotted decimal notation.
IP Subnet Mask: Your ZyXEL Device will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyXEL Device.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Reset: Click Reset to begin configuring this screen afresh.
7.5 Advanced LAN Screen
To change your ZyXEL Device’s advanced IP settings, click Network > LAN > Advanced.
The screen appears as shown.
Figure 58 Advanced LAN
The following table describes the labels in this screen.
Table 38 Advanced LAN
LABEL / DESCRIPTION
Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Active: Select this if you want to let computers on different subnets use the ZyXEL Device.
Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However, it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN.
Allow between LAN and WAN: Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Reset: Click Reset to begin configuring this screen afresh.
CHAPTER 8
DHCP Server
8.1 DHCP
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual
clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyXEL
Device as a DHCP server or disable it. When configured as a server, the ZyXEL Device
provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have
another DHCP server on your LAN, or else the computer must be manually configured.
8.2 DHCP Server General Screen
Click Network > DHCP Server. The following screen displays.
Figure 59 DHCP Server General
The following table describes the labels in this screen.
LABEL / DESCRIPTION
Enable DHCP Server: DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (computers) to obtain TCP/IP configuration at startup from a server. Leave the Enable DHCP Server check box selected unless your ISP instructs you to do otherwise. Clear it to disable the ZyXEL Device acting as a DHCP server. When configured as a server, the ZyXEL Device provides TCP/IP configuration for the clients. If not, DHCP service is disabled and you must have another DHCP server on your LAN, or else the computers must be manually configured. When set as a server, fill in the following four fields.
IP Pool Starting Address: This field specifies the first of the contiguous addresses in the IP address pool.
Pool Size: This field specifies the size, or count, of the IP address pool.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Reset: Click Reset to begin configuring this screen afresh.
8.3 DHCP Server Advanced Screen
This screen allows you to assign IP addresses on the LAN to specific individual computers
based on their MAC addresses. You can also use this screen to configure the DNS server
information that the ZyXEL Device sends to the DHCP clients.
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address
is assigned at the factory and consists of six pairs of hexadecimal characters, for example,
00:A0:C5:00:00:02.
To change your ZyXEL Device’s static DHCP settings, click Network > DHCP Server >
Advanced. The following screen displays.
Figure 60 DHCP Server Advanced
The following table describes the labels in this screen.
Table 40 DHCP Server Advanced
LABEL / DESCRIPTION
#: This is the index number of the static IP table entry (row).
MAC Address: Type the MAC address (with colons) of a computer on your LAN.
IP Address: Type the LAN IP address of a computer on your LAN.
DNS Servers Assigned by DHCP Server: The ZyXEL Device passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. The ZyXEL Device only passes this information to the LAN DHCP clients when you select the Enable DHCP Server check box. When you clear the Enable DHCP Server check box, DHCP service is disabled and you must have another DHCP server on your LAN, or else the computers must have their DNS server addresses manually configured.
First DNS Server, Second DNS Server, Third DNS Server: Select From ISP if your ISP dynamically assigns DNS server information (and the ZyXEL Device's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns.
Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to User-Defined, and enter the same IP address, the second User-Defined changes to None after you click Apply.
Select DNS Relay to have the ZyXEL Device act as a DNS proxy. The ZyXEL Device's LAN IP address displays in the field to the right (read-only). The ZyXEL Device tells the DHCP clients on the LAN that the ZyXEL Device itself is the DNS server. When a computer on the LAN sends a DNS query to the ZyXEL Device, the ZyXEL Device forwards the query to the ZyXEL Device's system DNS server (configured in the WAN > Internet Connection screen) and relays the response back to the computer. You can only select DNS Relay for one of the three servers; if you select DNS Relay for a second or third DNS server, that choice changes to None after you click Apply.
Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a computer in order to access it.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Reset: Click Reset to begin configuring this screen afresh.
8.4 Client List Screen
The DHCP table shows current DHCP client information (including IP Address, HostName
and MAC Address) of all network clients using the ZyXEL Device’s DHCP server.
Configure this screen to always assign an IP address to a MAC address (and host name). Click
Network > DHCP Server > Client List.
Note: You can also view a read-only client list by clicking the DHCP Table
(Details...) hyperlink in the Status screen.
The following screen displays.
Figure 61 Client List
The following table describes the labels in this screen.
Table 41 Client List
LABEL / DESCRIPTION
#: This is the index number of the host computer.
IP Address: This field displays the IP address relative to the # field listed above.
Host Name: This field displays the computer host name.
MAC Address: The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal notation). A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory. This address follows an industry standard that ensures no other adapter has a similar address.
Reserve: Select this check box to have the ZyXEL Device always assign this IP address to this MAC address (and host name). After you click Apply, the MAC address and IP address also display in the Advanced screen (where you can edit them).
Refresh: Click Refresh to reload the DHCP table.
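The three DHCP screens of this chapter (the address pool of Section 8.2, the static MAC-to-IP table of Section 8.3 and the Reserve action of Section 8.4) fit together as one allocation policy. The following Python model is an added example written for this edition; it is not ZyXEL firmware code, and the LAN IP, pool start and pool size it uses are constructed sample values, not defaults from the guide. It assumes the device answers a static entry first, then a client's existing lease, then the first free pool address, and that a malformed MAC address is rejected rather than silently accepted.

```python
import ipaddress
import re

# Constructed sample values for this example (not taken from the guide's screens):
# LAN IP 192.168.1.1/24 and a 32-address pool starting at 192.168.1.33.
LAN_IP = ipaddress.IPv4Interface("192.168.1.1/24")
POOL_START = ipaddress.IPv4Address("192.168.1.33")
POOL_SIZE = 32

# Six colon-separated hexadecimal pairs, e.g. 00:A0:C5:00:00:02 (Section 8.3).
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac):
    """Validate a colon-separated MAC address and return it upper-cased."""
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address {mac!r}: expected six hex pairs with colons")
    return mac.upper()


class DhcpServer:
    """Hypothetical model of the DHCP Server screens: a contiguous pool, a static
    (MAC -> IP) table, and the client list with its Reserve action."""

    def __init__(self, lan_ip, pool_start, pool_size):
        self.network = lan_ip.network
        self.device_ip = lan_ip.ip
        self.pool = [pool_start + i for i in range(pool_size)]
        for ip in self.pool:
            if ip not in self.network or ip == self.device_ip:
                raise ValueError(f"pool address {ip} is outside the LAN or is the device's own IP")
        self.static = {}   # MAC -> IPv4Address, the Advanced screen's static DHCP table
        self.leases = {}   # MAC -> IPv4Address, the Client List screen

    def add_static(self, mac, ip):
        """Advanced screen: bind a MAC address to a fixed LAN IP address."""
        mac = normalize_mac(mac)
        ip = ipaddress.IPv4Address(ip)
        if ip not in self.network or ip == self.device_ip:
            raise ValueError(f"{ip} is not a usable address on the LAN")
        if any(m != mac and other == ip for m, other in self.static.items()):
            raise ValueError(f"{ip} is already reserved for another MAC address")
        self.static[mac] = ip

    def offer(self, mac):
        """Answer a client's DHCP request: static entry first, then its existing lease,
        then the first free pool address; None when the pool is exhausted."""
        mac = normalize_mac(mac)
        if mac in self.static:
            ip = self.static[mac]
        elif mac in self.leases:
            ip = self.leases[mac]
        else:
            # Addresses held by static entries are never handed out dynamically.
            in_use = set(self.leases.values()) | set(self.static.values())
            free = [ip for ip in self.pool if ip not in in_use]
            if not free:
                return None
            ip = free[0]
        self.leases[mac] = ip
        return ip

    def reserve(self, mac):
        """Client List screen's Reserve check box: turn the current lease into a static entry."""
        mac = normalize_mac(mac)
        self.add_static(mac, self.leases[mac])
        return self.static[mac]


if __name__ == "__main__":
    server = DhcpServer(LAN_IP, POOL_START, POOL_SIZE)
    server.add_static("00:a0:c5:00:00:02", "192.168.1.50")
    print(server.offer("00:A0:C5:00:00:02"))   # the static entry wins
    print(server.offer("00:A0:C5:00:00:03"))   # first free pool address
```

The check in add_static that a static IP is inside the LAN subnet and not the device's own address is the one a user is most likely to trip over in the Advanced screen, since a reservation outside the LAN can never be reached by the client that receives it.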
CHAPTER 9
Network Address Translation
(NAT)
This chapter discusses how to configure NAT on the ZyXEL Device.
9.1 NAT Overview
NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a
host in a packet. For example, the source address of an outgoing packet, used within one
network is changed to a different IP address known within another network.
9.2 Using NAT
Note: You must create a firewall rule in addition to setting up NAT, to allow traffic
from the WAN to be forwarded through the ZyXEL Device.
9.2.1 Port Forwarding: Services and Port Numbers
A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or
FTP, that you can make accessible to the outside world even though NAT makes your whole
inside network appear as a single machine to the outside world.
Use the Application screen to forward incoming service requests to the server(s) on your local
network. You may enter a single port number or a range of port numbers to be forwarded, and
the local IP address of the desired server. The port number identifies a service; for example,
web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or
where one server can support more than one service (for example both FTP and web service),
it might be better to specify a range of port numbers.
In addition to the servers for specified services, NAT supports a default server. A service
request that does not have a server explicitly designated for it is forwarded to the default
server. If the default is not defined, the service request is simply discarded.
Note: Many residential broadband ISP accounts do not allow you to run any server
processes (such as a Web or FTP server) from your location. Your ISP may
periodically check for servers and may suspend your account if it discovers
any active services at your location. If you are unsure, refer to your ISP.
9.2.2 Configuring Servers Behind Port Forwarding Example
Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the
example), port 80 to another (B in the example) and assign a default server IP address of
192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP
assigns the WAN IP address. The NAT network appears as a single host on the Internet.
Figure 62 Multiple Servers Behind NAT Example
9.3 General NAT Screen
Click Network > NAT to open the General screen.
Figure 63 NAT General
The following table describes the labels in this screen.
Table 42 NAT General
LABEL / DESCRIPTION
Network Address Translation: Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select the check box to enable NAT.
Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in the Application screen. If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified in the Application screen or remote management.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Reset: Click Reset to begin configuring this screen afresh.
9.4 NAT Application Screen
Port forwarding allows you to define the local servers to which the incoming services will be
forwarded. To change your ZyXEL Device’s port forwarding settings, click Network > NAT
> Application. The screen appears as shown.
Note: If you do not assign a Default Server IP address in the NAT > General
screen, the ZyXEL Device discards all packets received for ports that are not
specified in this screen or remote management.
Refer to Appendix I on page 257 for port numbers commonly used for particular services.
Figure 64 NAT Application
The following table describes the labels in this screen.
Table 43 NAT Application
LABEL / DESCRIPTION
Game List Update: A game list includes the pre-defined service name(s) and port number(s). You can edit and upload it to the ZyXEL Device to replace the existing entries in the second field next to Service Name.
File Path: Type in the location of the file you want to upload in this field or click Browse... to find it.
Browse...: Click Browse... to find the .txt file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
Update: Click Update to begin the upload process. This process may take up to two minutes.
Add Application Rule
Active: Select the check box to enable this rule and the requested service can be forwarded to the host with a specified internal IP address. Clear the check box to disallow forwarding of these ports to an inside server without having to delete the entry.
Service Name: Type a name (of up to 31 printable characters) to identify this rule in the first field next to Service Name. Otherwise, select a predefined service in the second field next to Service Name. The predefined service name and port number(s) will display in the Service Name and Port fields.
Port: Type a port number(s) to be forwarded.
To specify a range of ports, enter a hyphen (-) between the first port and the last port, such as 10-20.
To specify two or more non-consecutive port numbers, separate them by a comma without spaces, such as 123,567.
Server IP Address: Type the inside IP address of the server that receives packets from the port(s) specified in the Port field.
Apply: Click Apply to save your changes to the Application Rules Summary table.
Reset: Click Reset to not save and return your new changes in the Service Name and Port fields to the previous one.
Application Rules Summary
#: This is the number of an individual port forwarding server entry.
Active: This icon is turned on when the rule is enabled.
Name: This field displays a name to identify this rule.
Port: This field displays the port number(s).
Server IP Address: This field displays the inside IP address of the server.
Modify: Click the Edit icon to display and modify an existing rule setting in the fields under Add Application Rule.
Click the Remove icon to delete a rule.
9.4.1 Game List Example
Here is an example game list text file. The index number, service name and associated port(s)
are specified by semi-colons (no spaces). Use the name=xxx (where xxx is the service name)
to create a new service. Port range can be separated with a hyphen (-) (no spaces). Multiple
(non-consecutive) ports can be separated by commas.
Figure 65 Game List Example
version=1
1;name=Battlefield 1942;port=14567,22000,23000-23009,27900,28900
2;name=Call of Duty;port=28960
3;name=Civilization IV;port=2056
4;name=Diablo I and II;port=6112-6119,4000
5;name=Doom 3;port=27666
6;name=F.E.A.R;port=27888
7;name=Final Fantasy XI;port=25,80,110,443,50000-65535
8;name=Guild Wars;port=6112,80
9;name=Half Life;port=6003,7002,27005,27010,27011,27015
10;name=Jedi Knight III: Jedi Academy;port=28060-28062,28070-28081
11;name=Need for Speed: Hot Pursuit 2;port=1230,8511-8512,27900,28900,61200-61230
12;name=Neverwinter Nights;port=5120-5300,6500,27900,28900
13;name=Quake 2;port=27910
14;name=Quake 3;port=27660,27960
15;name=Rainbow Six 3: Raven Shield;port=7777-7787,8777-8787
16;name=Serious Sam II;port=25600-25605
17;name=Silent Hunter III;port=17997-18003
18;name=Soldier of Fortune II;port=20100-20112
19;name=Starcraft;port=6112-6119,4000
20;name=Star Trek: Elite Force II;port=29250,29256
21;name=SWAT 4;port=10480-10483
22;name=Warcraft II and III;port=6112-6119,4000
23;name=World of Warcraft;port=3724
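The port syntax of the Port field in Table 43 (a single number, a hyphenated range, or comma-separated values with no spaces) is the same syntax used by the port= field of the game list above, and a parsed rule set is what the default-server logic of Section 9.3 consults for each incoming packet. The following Python code is an added example for this edition, not ZyXEL's game list parser or NAT code. It assumes that ports must lie in 1-65535 with ranges in ascending order, that a malformed line is reported and skipped rather than aborting the upload, and that a port matching no rule goes to the default server when one is set and is otherwise discarded; the sample list and the server addresses are constructed.

```python
import re

# Constructed sample in the game list format above: two valid entries and one
# deliberately malformed entry (port above 65535) to exercise the validation path.
SAMPLE_GAME_LIST = """version=1
1;name=Call of Duty;port=28960
2;name=Diablo I and II;port=6112-6119,4000
3;name=Bad Entry;port=70000
"""

# index;name=<service name>;port=<port spec>  (semicolon separated, no spaces)
LINE_RE = re.compile(r"^(\d+);name=([^;]+);port=(\S+)$")


def parse_port_spec(spec):
    """Turn a Port-field value such as '6112-6119,4000' into sorted (start, end) tuples."""
    ranges = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
        else:
            lo = hi = part
        if not (lo.isdigit() and hi.isdigit()):
            raise ValueError(f"non-numeric port in {spec!r}")
        lo, hi = int(lo), int(hi)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"port range {lo}-{hi} out of order or outside 1-65535")
        ranges.append((lo, hi))
    return sorted(ranges)


def parse_game_list(text):
    """Return ({index: (name, ranges)}, [error messages]); the version=1 header is required."""
    lines = text.strip().splitlines()
    if not lines or lines[0] != "version=1":
        raise ValueError("expected a 'version=1' header line")
    entries, errors = {}, []
    for lineno, line in enumerate(lines[1:], start=2):
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: malformed entry")
            continue
        try:
            entries[int(m.group(1))] = (m.group(2), parse_port_spec(m.group(3)))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return entries, errors


class PortForwarder:
    """Resolves an incoming destination port to an inside server, as the NAT
    Application screen plus the Default Server field of the NAT General screen do."""

    def __init__(self, default_server=None):
        self.rules = []            # (name, ranges, server_ip) in configuration order
        self.default_server = default_server

    def add_rule(self, name, port_spec, server_ip):
        self.rules.append((name, parse_port_spec(port_spec), server_ip))

    def lookup(self, port):
        """Server IP for this port; the default server if none matches; None = discard."""
        for _name, ranges, server in self.rules:
            if any(lo <= port <= hi for lo, hi in ranges):
                return server
        return self.default_server


if __name__ == "__main__":
    entries, errors = parse_game_list(SAMPLE_GAME_LIST)
    print(entries)
    print(errors)
    # The Section 9.2.2 layout: A takes 21-25, B takes 80, C is the default server.
    fw = PortForwarder(default_server="192.168.1.35")
    fw.add_rule("FTP/Telnet/SMTP", "21-25", "192.168.1.33")
    fw.add_rule("Web", "80", "192.168.1.34")
    print(fw.lookup(22), fw.lookup(80), fw.lookup(443))
```

Rules are checked in configuration order, so if two rules overlap the earlier one wins; the guide does not say how the device resolves overlapping entries, so keep rule port ranges disjoint when you upload a custom list.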
9.5 Trigger Port Forwarding
Some services use a dedicated range of ports on the client side and a dedicated range of ports
on the server side. With regular port forwarding you set a forwarding port in NAT to forward a
service (coming in from the server on the WAN) to the IP address of a computer on the client
side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP
address. In order to use the same service on a different LAN computer, you have to manually
replace the LAN computer's IP address in the forwarding port with another LAN computer's IP
address.
Trigger port forwarding solves this problem by allowing computers on the LAN to
dynamically take turns using the service. The ZyXEL Device records the IP address of a LAN
computer that sends traffic to the WAN to request a service with a specific port number and
protocol (a "trigger" port). When the ZyXEL Device's WAN port receives a response with a
specific port number and protocol ("incoming" port), the ZyXEL Device forwards the traffic
to the LAN IP address of the computer that sent the request. After that computer’s connection
for that service closes, another computer on the LAN can use the service in the same manner.
This way you do not need to configure a new IP address each time you want a different LAN
computer to use the application.
9.5.1 Trigger Port Forwarding Example
The following is an example of trigger port forwarding.
Figure 66 Trigger Port Forwarding Process: Example
1 Jane requests a file from the Real Audio server (port 7070).
2 Port 7070 is a “trigger” port and causes the ZyXEL Device to record Jane’s computer IP
address. The ZyXEL Device associates Jane's computer IP address with the "incoming"
port range of 6970-7170.
3 The Real Audio server responds using a port number ranging between 6970-7170.
4 The ZyXEL Device forwards the traffic to Jane’s computer IP address.
5 Only Jane can connect to the Real Audio server until the connection is closed or times
out. The ZyXEL Device times out in three minutes with UDP (User Datagram Protocol),
or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol).
9.5.2 Two Points To Remember About Trigger Ports
1 Trigger events only happen on data that is coming from inside the ZyXEL Device
and going to the outside.
2 If an application needs a continuous data stream, that port (range) will be tied up so that
another computer on the LAN can’t trigger it.
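The trigger port behaviour of Sections 9.5 to 9.5.2 (record the LAN sender on an outbound trigger port, forward later inbound traffic on the incoming range to that sender, one LAN host per trigger at a time, and the stated UDP and TCP timeouts) can be written down as a small state table. The following Python code is an added example for this edition, not ZyXEL firmware; the timeouts are the three minutes and two hours stated in Section 9.5.1, while the rule values, the LAN addresses and the use of a caller-supplied clock are constructed for the example.

```python
# Timeouts stated in Section 9.5.1, in seconds: UDP 3 minutes, TCP 2 hours.
TIMEOUT = {"udp": 3 * 60, "tcp": 2 * 60 * 60}


class TriggerPortTable:
    """Hypothetical model of the NAT Advanced screen's trigger port rules.

    Each rule has a trigger port range (outbound, LAN to WAN) and an incoming port
    range (inbound, WAN to LAN). A rule is bound to at most one LAN address at a time.
    `now` is a caller-supplied timestamp in seconds so the example runs offline.
    """

    def __init__(self, rules):
        self.rules = rules            # [{"name", "trigger": (lo, hi), "incoming": (lo, hi)}]
        self.bindings = {}            # rule name -> (lan_ip, expiry)

    def _holder(self, name, now):
        """LAN address currently bound to the rule, dropping an expired binding."""
        bound = self.bindings.get(name)
        if bound and bound[1] > now:
            return bound[0]
        self.bindings.pop(name, None)
        return None

    def outbound(self, lan_ip, dst_port, proto, now):
        """LAN -> WAN packet. If dst_port is a trigger port, bind the rule to lan_ip
        (Section 9.5.2, point 1: only outbound traffic triggers). Returns True when a
        binding was created or refreshed, False when another LAN host holds the rule
        (point 2) or no rule matches."""
        for rule in self.rules:
            lo, hi = rule["trigger"]
            if lo <= dst_port <= hi:
                holder = self._holder(rule["name"], now)
                if holder is not None and holder != lan_ip:
                    return False
                self.bindings[rule["name"]] = (lan_ip, now + TIMEOUT[proto])
                return True
        return False

    def inbound(self, dst_port, now):
        """WAN -> LAN packet. Returns the LAN address to forward to, or None when the
        port is not an incoming port of a currently bound rule."""
        for rule in self.rules:
            lo, hi = rule["incoming"]
            if lo <= dst_port <= hi:
                return self._holder(rule["name"], now)
        return None


# The Section 9.5.1 scenario: trigger 7070, incoming 6970-7170 (constructed rule name).
REAL_AUDIO_RULES = [{"name": "Real Audio", "trigger": (7070, 7070), "incoming": (6970, 7170)}]

if __name__ == "__main__":
    table = TriggerPortTable(REAL_AUDIO_RULES)
    table.outbound("192.168.1.20", 7070, "udp", now=0)      # Jane requests the stream
    print(table.inbound(7000, now=10))                       # forwarded to Jane
    print(table.outbound("192.168.1.21", 7070, "udp", now=20))  # second host is refused
    print(table.inbound(7000, now=200))                      # UDP binding expired
```

A packet arriving from the WAN on the incoming range before any LAN host has sent the trigger is not forwarded, which is what makes trigger port forwarding safer than a permanent rule for the same range: the inside host is only reachable while it has an active request of its own.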
9.6 NAT Advanced Screen
To change your ZyXEL Device’s trigger port settings, click Network > NAT > Advanced.
The screen appears as shown.
Note: Only one LAN computer can use a trigger port (range) at a time.
Figure 67 NAT Advanced
The following table describes the labels in this screen.
Table 44 NAT Advanced
LABEL / DESCRIPTION
Max NAT/Firewall Session Per User: Type a number ranging from 1 to 2048 to limit the number of NAT/firewall sessions that a host can create. When computers use peer to peer applications, such as file sharing applications, they may use a large number of NAT sessions. If you do not limit the number of NAT sessions a single client can establish, this can result in all of the available NAT sessions being used. In this case, no additional NAT sessions can be established, and users may not be able to access the Internet. Each NAT session establishes a corresponding firewall session. Use this field to limit the number of NAT/firewall sessions each client computer can establish through the ZyXEL Device. If your network has a small number of clients using peer to peer applications, you can raise this number to ensure that their performance is not degraded by the number of NAT sessions they can establish. If your network has a large number of users using peer to peer applications, you can lower this number to ensure no single client is using all of the available NAT sessions.
#: This is the rule index number (read-only).
Name: Type a unique name (up to 15 characters) for identification purposes. All characters are permitted - including spaces.
Incoming: Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The ZyXEL Device forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service.
Start Port: Type a port number or the starting port number in a range of port numbers.
End Port: Type a port number or the ending port number in a range of port numbers.
Trigger: The trigger port is a port (or a range of ports) that causes (or triggers) the ZyXEL Device to record the IP address of the LAN computer that sent the traffic to a server on the WAN.
Start Port: Type a port number or the starting port number in a range of port numbers.
End Port: Type a port number or the ending port number in a range of port numbers.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Reset: Click Reset to begin configuring this screen afresh.
CHAPTER 10
Dynamic DNS
10.1 Dynamic DNS Introduction
Dynamic DNS allows you to update your current dynamic IP address with one or many
dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You
can also access your FTP server or Web site on your own computer using a domain name (for
instance myhost.dhs.org, where myhost is a name of your choice) that will never change
instead of using an IP address that changes each time you reconnect. Your friends or relatives
will always be able to call you even if they don't know your IP address.
First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is
for people with a dynamic IP from their ISP or DHCP server that would still like to have a
domain name. The Dynamic DNS service provider will give you a password or key.
10.1.1 DynDNS Wildcard
Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the
same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use,
for example, www.yourhost.dyndns.org and still reach your hostname.
Note: If you have a private WAN IP address, then you cannot use Dynamic DNS.
10.2 Dynamic DNS Screen
To change your ZyXEL Device’s DDNS, click Network > DDNS. The screen appears as
shown.
Figure 68 Dynamic DNS
The following table describes the labels in this screen.
Table 45 Dynamic DNS
LABEL / DESCRIPTION
Enable Dynamic DNS: Select this check box to use dynamic DNS.
Service Provider: Select the name of your Dynamic DNS service provider.
Dynamic DNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider.
Host Name: Enter a host name in the field provided. You can specify up to two host names in the field separated by a comma (",").
User Name: Enter your user name.
Password: Enter the password assigned to you.
Enable Wildcard Option: Select the check box to enable DynDNS Wildcard.
Enable off line option: This option is available when CustomDNS is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line.
IP Address Update Policy:
Use WAN IP Address: Select this option to update the IP address of the host name(s) to the WAN IP address.
Dynamic DNS server auto detect IP Address: Select this option to update the IP address of the host name(s) automatically by the DDNS server. It is recommended that you select this option.
Use specified IP Address: Type the IP address of the host name(s). Use this if you have a static IP address.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Reset: Click Reset to begin configuring this screen afresh.
CHAPTER 11
Firewall
This chapter gives some background information on firewalls and explains how to get started
with the ZyXEL Device’s firewall.
11.1 Introduction to ZyXEL’s Firewall
11.1.1 What is a Firewall?
Originally, the term “firewall” referred to a construction technique designed to prevent the
spread of fire from one room to another. The networking term "firewall" is a system or group
of systems that enforces an access-control policy between two networks. It may also be
defined as a mechanism used to protect a trusted network from a network that is not trusted. Of
course, firewalls cannot solve every security problem. A firewall is one of the mechanisms
used to establish a network security perimeter in support of a network security policy. It
should never be the only mechanism or method employed. For a firewall to guard effectively,
you must design and deploy it appropriately. This requires integrating the firewall into a broad
information-security policy. In addition, specific policies must be implemented within the
firewall itself.
11.1.2 Stateful Inspection Firewall
Stateful inspection firewalls restrict access by screening data packets against defined access
rules. They make access control decisions based on IP address and protocol. They also
"inspect" the session data to assure the integrity of the connection and to adapt to dynamic
protocols. These firewalls generally provide the best speed and transparency; however, they
may lack the granular application level access control or caching that some proxies support.
Firewalls, of one type or another, have become an integral part of standard security solutions
for enterprises.
11.1.3 About the ZyXEL Device Firewall
The ZyXEL Device firewall is a stateful inspection firewall and is designed to protect against
Denial of Service attacks when activated (click the General tab under Firewall and then click
the EnableFirewall check box). The ZyXEL Device's purpose is to allow a private Local
Area Network (LAN) to be securely connected to the Internet. The ZyXEL Device can be used
to prevent theft, destruction and modification of data, as well as log events, which may be
important to the security of your network.
The ZyXEL Device is installed between the LAN and a broadband modem connecting to the
Internet. This allows it to act as a secure gateway for all data passing between the Internet and
the LAN.
The ZyXEL Device has one Ethernet WAN port and four Ethernet LAN ports, which are used
to physically separate the network into two areas. The WAN (Wide Area Network) port
attaches to the broadband (cable or DSL) modem that connects to the Internet.
The LAN (Local Area Network) port attaches to a network of computers, which needs security
from the outside world. These computers will have access to Internet services such as e-mail,
FTP and the World Wide Web. However, "inbound access" is not allowed (by default) unless
the remote host is authorized to use a specific service.
11.1.4 Guidelines For Enhancing Security With Your Firewall
1 Change the default password via web configurator.
2 Think about access control before you connect to the network in any way, including
attaching a modem to the port.
3 Limit who can access your router.
4 Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled
service could present a potential security risk. A determined hacker might be able to find
creative ways to misuse the enabled services to access the firewall or the network.
5 For local services that are enabled, protect against misuse. Protect by configuring the
services to communicate only with specific peers, and protect by configuring rules to
block packets for the services at specific interfaces.
6 Protect against IP spoofing by making sure the firewall is active.
7 Keep the firewall in a secured (locked) room.
11.2 Triangle Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the ZyXEL
Device’s LAN IP address, return traffic may not go through the ZyXEL Device. This is called
an asymmetrical or “triangle” route. The ZyXEL Device’s stateful firewall then sees only one
direction of the connection (for example a reply for which it never saw the initial request), so it
treats the connection as unacknowledged and resets it.
You can have the ZyXEL Device permit the use of asymmetrical route topology on the
network (not reset the connection). Allowing asymmetrical routes, however, may let traffic
from the WAN go directly to the LAN without passing through the ZyXEL Device’s firewall.
A better solution is to use IP alias to put the ZyXEL Device and the backup gateway on
separate subnets.
11.2.1 Triangle Routes and IP Alias
You can use IP alias instead of allowing triangle routes. IP alias allows you to partition your
network into logical sections over the same interface.
By putting your LAN and Gateway A in different subnets, all returning network traffic must
pass through the ZyXEL Device to your LAN. The following steps describe such a scenario.
Chapter 11 Firewall
1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving
server on the WAN.
2 The ZyXEL Device reroutes the packet to Gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the ZyXEL Device.
4 The ZyXEL Device then sends it to the computer on the LAN in Subnet 1.
Figure 69 Using IP Alias to Solve the Triangle Route Problem
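The following Python model is added here as an example; it is not ZyXEL code and does not come from the user's guide. It shows why a triangle route makes a stateful gateway reset the connection (the firewall sees a reply for a request it never recorded) and what the Bypass Triangle Route option in the Services screen trades away. The packet representation, the addresses and the simplified policy (an unsolicited WAN packet is either reset or, with bypass, forwarded) are assumptions of this example.

```python
"""Added example, not ZyXEL code: a minimal stateful-firewall model of the
triangle route problem described in Section 11.2.

Assumptions (not from the manual): packets carry only a TCP 4-tuple and
flags, the only state kept is the set of sessions seen leaving the LAN, and
"bypass" means an inbound packet with no matching session is forwarded
instead of reset.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # "SYN", "SYN-ACK", "ACK", ...


@dataclass
class StatefulFirewall:
    bypass_triangle_route: bool = False
    sessions: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def _key(self, pkt: Packet):
        # Normalise so both directions of a flow map to one session entry.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)

    def lan_to_wan(self, pkt: Packet) -> str:
        """Outbound packet from the LAN: record the session and forward."""
        self.sessions.add(self._key(pkt))
        self.log.append(("forward", pkt))
        return "forward"

    def wan_to_lan(self, pkt: Packet) -> str:
        """Inbound packet from the WAN: forward only if it belongs to a session
        the firewall saw start. Otherwise it is unsolicited: reset by default,
        forwarded unchecked when asymmetrical routes are permitted."""
        if self._key(pkt) in self.sessions:
            self.log.append(("forward", pkt))
            return "forward"
        if self.bypass_triangle_route:
            self.log.append(("forward-unchecked", pkt))
            return "forward"
        self.log.append(("reset", pkt))
        return "reset"


# Constructed addresses (RFC 5737 documentation ranges for the WAN side).
LAN_HOST = "192.168.1.33"
WAN_SERVER = "203.0.113.10"
WAN_PROBE = "198.51.100.7"


def symmetric_route() -> str:
    """Both directions pass the ZyXEL Device: the SYN-ACK is forwarded."""
    fw = StatefulFirewall()
    fw.lan_to_wan(Packet(LAN_HOST, 40000, WAN_SERVER, 80, "SYN"))
    return fw.wan_to_lan(Packet(WAN_SERVER, 80, LAN_HOST, 40000, "SYN-ACK"))


def triangle_route(bypass: bool) -> str:
    """The SYN left through Gateway A, so the ZyXEL Device never saw it and
    only the SYN-ACK arrives from the WAN."""
    fw = StatefulFirewall(bypass_triangle_route=bypass)
    return fw.wan_to_lan(Packet(WAN_SERVER, 80, LAN_HOST, 40000, "SYN-ACK"))


def unsolicited_wan_probe(bypass: bool) -> str:
    """The cost of bypass: an unrelated WAN-originated SYN is let in too."""
    fw = StatefulFirewall(bypass_triangle_route=bypass)
    return fw.wan_to_lan(Packet(WAN_PROBE, 5555, LAN_HOST, 445, "SYN"))


if __name__ == "__main__":
    print("symmetric route:        ", symmetric_route())
    print("triangle route, default:", triangle_route(False))
    print("triangle route, bypass: ", triangle_route(True))
    print("WAN probe with bypass:  ", unsolicited_wan_probe(True))
```

The last call is the point of the manual's warning: once unsolicited inbound packets are accepted to accommodate the alternate gateway, a port scan from the WAN is accepted by the same logic, which is why separating the gateways with IP alias is the preferred fix.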
11.3 General Firewall Screen
Click Security > Firewall to open the General screen. Use this screen to enable or disable the
ZyXEL Device’s firewall, and set up firewall logs.
Figure 70 General
The following table describes the labels in this screen.
Table 46 Firewall General
Enable Firewall: Select this check box to activate the firewall. The ZyXEL Device performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
Packet Direction: This is the direction of travel of packets. Firewall rules are grouped based on the direction of travel of packets to which they apply.
Log: Select whether to create a log for packets that are traveling in the selected direction when the packets are blocked or forwarded. To log packets related to firewall rules, make sure that Access Control under Log is selected in the Logs > Log Settings screen.
Apply: Click Apply to save the settings.
Reset: Click Reset to start configuring this screen again.
11.4 Services Screen
Click Security > Firewall > Services. The screen appears as shown next.
If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP
response packet is automatically returned. This allows the outside user to know the ZyXEL
Device exists. Use this screen to prevent the ICMP response packet from being sent. This
keeps outsiders from discovering your ZyXEL Device when unsupported ports are probed.
You can also use this screen to enable service blocking, enter/delete/modify the services you
want to block and the date/time you want to block them.
Figure 71 Firewall Services
The following table describes the labels in this screen.
Table 47 Firewall Services
ICMP: Internet Control Message Protocol is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the TCP/IP software and are not directly apparent to the application user.
Respond to Ping on: The ZyXEL Device will not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests. Otherwise select LAN & WAN to reply to both incoming LAN and WAN Ping requests.
Do not respond to requests for unauthorized services: Select this option to prevent hackers from finding the ZyXEL Device by probing for unused ports. If you select this option, the ZyXEL Device will not respond to port requests for unused ports, thus leaving the unused ports and the ZyXEL Device unseen. By default this option is not selected and the ZyXEL Device replies with an ICMP Port Unreachable packet for a port probe on its unused UDP ports, and a TCP Reset packet for a port probe on its unused TCP ports.
Note that the probing packets must first traverse the ZyXEL Device's firewall mechanism before reaching this anti-probing mechanism. Therefore if the firewall mechanism blocks a probing packet, the ZyXEL Device reacts based on the firewall policy, which by default is to send a TCP reset packet for a blocked TCP packet. You can use the command "sys firewall tcprst rst [on|off]" to change this policy. When the firewall mechanism blocks a UDP packet, it drops the packet without sending a response packet.
Enable Services Blocking: Select this check box to enable this feature.
Available Services: This is a list of pre-defined services (ports) you may prohibit your LAN computers from using. Select the port you want to block using the drop-down list and click Add to add the port to the Blocked Services field.
Blocked Services: This is a list of services (ports) that will be inaccessible to computers on your LAN once you enable service blocking.
Custom Port: A custom port is a service that is not available in the pre-defined Available Services list and that you must define using the next two fields.
Type: Choose the IP protocol (TCP or UDP) that defines your customized port from the drop-down list box.
Port Number: Enter the port number range that defines the service. For example, if you want to define the Gnutella service, then select TCP type and enter a port range from 6345 to 6349.
Add: Select a service from the Available Services drop-down list and then click Add to add the service to the Blocked Services list.
Delete: Select a service from the Blocked Services list and then click Delete to remove this service from the list.
Clear All: Click Clear All to empty the Blocked Services list.
Day to Block: Select a check box to configure which days of the week (or everyday) you want service blocking to be active.
Time of Day to Block (24-Hour Format): Select the time of day you want service blocking to take effect. Configure blocking to take effect all day by selecting All Day. You can also configure specific times by selecting From and entering the start time in the Start (hour) and Start (min) fields and the end time in the End (hour) and End (min) fields. Enter times in 24-hour format, for example, "3:00pm" should be entered as "15:00".
Bypass Triangle Route: Select this check box to have the ZyXEL Device firewall ignore the use of triangle route topology on the network, that is, not reset connections whose return traffic arrives without the firewall having seen the request. As described in Section 11.2, this also lets WAN traffic reach the LAN without passing through the ZyXEL Device's firewall, so prefer IP alias where possible.
Max NAT/Firewall Session Per User: Type a number ranging from 1 to 2048 to limit the number of NAT/firewall sessions that a host can create.
Apply: Click Apply to save the settings.
Reset: Click Reset to start configuring this screen again.
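The following Python program is added here as an example and is not ZyXEL code: it evaluates the Services screen policy of Section 11.4 in software, so that a blocked-services list, a custom port range such as the Gnutella example above, and a Day to Block / Time of Day to Block schedule can be tested against sample traffic before they are applied. The matching rule (destination port of LAN-originated traffic), the use of the device's local clock, and the treatment of a window whose end time is earlier than its start as wrapping past midnight are assumptions of this example that the manual does not state.

```python
"""Added example, not ZyXEL code: a software model of the Firewall Services
screen (blocked services, custom ports, day/time schedule).

Assumptions not taken from the manual: blocking matches the destination
port of LAN-originated packets, the schedule is evaluated against the
device's local clock, and a From/End window with end < start wraps past
midnight.
"""
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Tuple

Rule = Tuple[str, int, int]          # (protocol, first_port, last_port)

DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
EVERYDAY: FrozenSet[str] = frozenset(DAY_NAMES)
WEEKDAYS: FrozenSet[str] = frozenset(DAY_NAMES[:5])


def custom_port(proto: str, port_spec: str) -> Rule:
    """Build a Custom Port entry from the Type and Port Number fields.
    '6345-6349' gives a range; '23' gives a single port."""
    proto = proto.upper()
    if proto not in ("TCP", "UDP"):
        raise ValueError("Type must be TCP or UDP")
    lo, _, hi = port_spec.partition("-")
    first, last = int(lo), int(hi or lo)
    if not (1 <= first <= last <= 65535):
        raise ValueError("port range must be ordered and within 1-65535")
    return (proto, first, last)


def schedule_active(now: datetime, days: FrozenSet[str],
                    start: Optional[time] = None,
                    end: Optional[time] = None) -> bool:
    """Day to Block plus Time of Day to Block; start/end of None means All Day."""
    if DAY_NAMES[now.weekday()] not in days:
        return False
    if start is None or end is None:
        return True
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end      # window crosses midnight (assumption)


def service_blocked(proto: str, dport: int, rules: List[Rule]) -> bool:
    return any(p == proto.upper() and lo <= dport <= hi for p, lo, hi in rules)


def decide(proto: str, dport: int, now: datetime, rules: List[Rule],
           days: FrozenSet[str] = EVERYDAY,
           start: Optional[time] = None, end: Optional[time] = None,
           enabled: bool = True) -> str:
    """'block' or 'allow' for one LAN-originated packet."""
    if enabled and schedule_active(now, days, start, end) \
            and service_blocked(proto, dport, rules):
        return "block"
    return "allow"


# Constructed policy: the manual's Gnutella example plus two cleartext
# management protocols.
BLOCKED: List[Rule] = [
    custom_port("TCP", "6345-6349"),   # Gnutella, per the manual's example
    custom_port("TCP", "23"),          # Telnet
    custom_port("UDP", "69"),          # TFTP
]
OFFICE = (WEEKDAYS, time(9, 0), time(17, 0))      # Mon-Fri 09:00-17:00
ALL_DAY = (WEEKDAYS, None, None)
OVERNIGHT = (EVERYDAY, time(22, 0), time(6, 0))   # end < start wraps midnight


def sample_verdicts() -> Dict[str, str]:
    """Constructed sample traffic evaluated against the policy above.
    2024-01-10 is a Wednesday, 2024-01-13 a Saturday."""
    cases = {
        "gnutella_wed_office":       (("TCP", 6346, datetime(2024, 1, 10, 10, 30)), OFFICE),
        "gnutella_sat_office":       (("TCP", 6346, datetime(2024, 1, 13, 10, 30)), OFFICE),
        "telnet_wed_after_hours":    (("TCP", 23, datetime(2024, 1, 10, 18, 0)), OFFICE),
        "dns_wed_office":            (("UDP", 53, datetime(2024, 1, 10, 10, 30)), OFFICE),
        "telnet_wed_all_day":        (("TCP", 23, datetime(2024, 1, 10, 18, 0)), ALL_DAY),
        "telnet_wed_overnight":      (("TCP", 23, datetime(2024, 1, 10, 23, 30)), OVERNIGHT),
    }
    return {label: decide(proto, dport, when, BLOCKED, days, start, end)
            for label, ((proto, dport, when), (days, start, end)) in cases.items()}


if __name__ == "__main__":
    for label, verdict in sample_verdicts().items():
        print(f"{label:28s} {verdict}")
```

Note that service blocking acts on destination ports only; a Gnutella client configured to use a different port, or traffic to a blocked port tunnelled inside an allowed one, is not caught by this mechanism.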
CHAPTER 12
Content Filtering
This chapter provides a brief overview of content filtering using the embedded web GUI.
12.1 Introduction to Content Filtering
Internet content filtering allows you to create and enforce Internet access policies tailored to
your needs. Content filtering is the ability to block certain web features or specific URL
keywords.
12.2 Restrict Web Features
The ZyXEL Device can block web features such as ActiveX controls, Java applets, cookies
and disable web proxies.
12.3 Days and Times
The ZyXEL Device also allows you to define time periods and days during which the ZyXEL
Device performs content filtering.
12.4 Filter Screen
Click Security > Content Filter to open the Filter screen.
Figure 72 Content Filter: Filter
The following table describes the labels in this screen.
Table 48 Content Filter: Filter
Trusted Computer IP Address: To enable this feature, type the IP address of one computer in your network that you want to treat as a trusted computer. The trusted computer has full access to all features that are configured to be blocked by content filtering. Leave this field blank to have no trusted computers. Trust is granted by source IP address alone, so any host that uses that address bypasses content filtering.
Restrict Web Features: Select the box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out.
ActiveX: A tool for building dynamic and active Web pages and distributed object applications. When you visit an ActiveX Web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
Java: A programming language and development environment for building downloadable Web components or Internet and intranet business applications of all kinds.
Cookies: Used by Web servers to track usage and provide service based on ID.
Web Proxy: A server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN it is possible for LAN users to circumvent content filtering by pointing to this proxy server.
Enable URL Keyword Blocking: The ZyXEL Device can block Web sites with URLs that contain certain keywords in the domain name or IP address. For example, if the keyword "bad" is enabled, every site whose domain name or IP address contains "bad" is blocked. By default only the part of the URL before the first slash is checked, so a keyword that appears only in the path (as in http://www.website.com/bad.html) is matched only if you enable full path or file name URL checking (see Section 12.6). Select this check box to enable this feature.
Keyword: Type a keyword in this field. You may use any character (up to 64 characters). Wildcards are not allowed. You can also enter a numerical IP address.
Keyword List: This list displays the keywords already added.
Add: Click Add after you have typed a keyword. Repeat this procedure to add other keywords. Up to 64 keywords are allowed. When you try to access a web page containing a keyword, you will get a message telling you that the content filter is blocking this request.
Delete: Highlight a keyword in the lower box and click Delete to remove it. The keyword disappears from the text box after you click Apply.
Clear All: Click this button to remove all of the listed keywords.
Message to display when a site is blocked
Denied Access Message: Enter a message to be displayed when a user tries to access a restricted web site. The default message is “Please contact your network administrator!!”
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
12.5 Schedule
Use this screen to set the day(s) and time you want the ZyXEL Device to use content filtering.
Click Security > Content Filter > Schedule. The following screen displays.
Figure 73 Content Filter: Schedule
The following table describes the labels in this screen.
Table 49 Content Filter: Schedule
Day to Block: Select check boxes for the days that you want the ZyXEL Device to perform content filtering. Select the Everyday check box to have content filtering turned on all days of the week.
Time of Day to Block (24-Hour Format): Time of Day to Block allows the administrator to define during which time periods content filtering is enabled. Time of Day to Block restrictions only apply to the keywords (see above). Restricted web features, such as ActiveX, Java, Cookies and Web Proxy, are not affected. Select All Day to have content filtering always active on the days selected in Day to Block with time of day limitations not enforced. Select From and enter the time period, in 24-hour format, during which content filtering will be enforced.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.
12.6 Customizing Keyword Blocking URL Checking
You can use commands to set how much of a website’s URL the content filter is to check for
keyword blocking. See the appendices for information on how to access and use the command
interpreter.
12.6.1 Domain Name or IP Address URL Checking
By default, the ZyXEL Device checks the URL’s domain name or IP address when performing
keyword blocking.
This means that the ZyXEL Device checks the characters that come before the first slash in the
URL.
For example, with the URL www.zyxel.com.tw/news/pressroom.php, content filtering only
searches for keywords within www.zyxel.com.tw.
12.6.2 Full Path URL Checking
Full path URL checking has the ZyXEL Device check the characters that come before the last
slash in the URL.
For example, with the URL www.zyxel.com.tw/news/pressroom.php, full path URL checking
searches for keywords within www.zyxel.com.tw/news/.
Use the ip urlfilter customize actionFlags 6 [disable | enable]
command to extend (or not extend) the keyword blocking search to include the URL's full
path.
12.6.3 File Name URL Checking
Filename URL checking has the ZyXEL Device check all of the characters in the URL.
For example, filename URL checking searches for keywords within the URL
www.zyxel.com.tw/news/pressroom.php.
Use the ip urlfilter customize actionFlags 8 [disable | enable]
command to extend (or not extend) the keyword blocking search to include the URL's
complete filename.
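The following Python program is added as an example and is not ZyXEL code. It implements the three keyword-blocking checks of Section 12.6 (domain name or IP address, full path, file name) and the Keyword field limits from Table 48, and runs them over a few constructed URLs so the difference between the modes is visible; in particular it shows that a keyword appearing only in the file name is caught only once actionFlags 8 is enabled. Stripping the scheme before the check, case-insensitive substring matching with no wildcards, and giving the file name check precedence when both flags are enabled are assumptions of this example, not statements from the manual.

```python
"""Added example, not ZyXEL code: the keyword-blocking URL checks of
Section 12.6 applied to sample URLs.

Assumptions (not from the manual): the scheme is stripped before checking,
matching is a case-insensitive substring test with no wildcards, and when
actionFlags 6 and 8 are both enabled the broader file name check applies.
"""
from typing import Dict, Iterable, List

MAX_KEYWORDS = 64
MAX_KEYWORD_LEN = 64


def mode_from_action_flags(flag6_full_path: bool, flag8_filename: bool) -> str:
    """Map 'ip urlfilter customize actionFlags 6|8 enable' to a check mode."""
    if flag8_filename:
        return "filename"
    if flag6_full_path:
        return "full_path"
    return "domain"


def checked_portion(url: str, mode: str) -> str:
    """Return the part of the URL the content filter searches in this mode."""
    rest = url.split("://", 1)[1] if "://" in url else url
    if mode == "domain":                 # characters before the first slash
        return rest.split("/", 1)[0]
    if mode == "full_path":              # characters before the last slash
        return rest.rsplit("/", 1)[0] + "/" if "/" in rest else rest
    if mode == "filename":               # every character of the URL
        return rest
    raise ValueError(f"unknown mode {mode!r}")


def add_keyword(keywords: List[str], keyword: str) -> List[str]:
    """Enforce the Keyword field limits: up to 64 entries of up to 64 chars."""
    if not keyword or len(keyword) > MAX_KEYWORD_LEN:
        raise ValueError("keyword must be 1-64 characters")
    if len(keywords) >= MAX_KEYWORDS:
        raise ValueError("keyword list is full (64 entries)")
    keywords.append(keyword)
    return keywords


def is_blocked(url: str, keywords: Iterable[str], mode: str = "domain") -> bool:
    portion = checked_portion(url, mode).lower()
    return any(k.lower() in portion for k in keywords)


def demo() -> Dict[str, Dict[str, bool]]:
    """Constructed URLs checked against the keywords 'bad' and '192.0.2.5'
    in every mode; returns {url: {mode: blocked}}."""
    keywords: List[str] = []
    add_keyword(keywords, "bad")
    add_keyword(keywords, "192.0.2.5")          # an IP address is allowed too
    urls = [
        "http://www.badsite.example/index.html",   # keyword in the domain name
        "http://www.website.com/bad.html",          # keyword only in the file name
        "http://www.site.example/bad/page.html",    # keyword only in the path
        "http://192.0.2.5/",                        # IP address keyword
    ]
    return {url: {m: is_blocked(url, keywords, m)
                  for m in ("domain", "full_path", "filename")} for url in urls}


if __name__ == "__main__":
    for url, verdicts in demo().items():
        print(url, verdicts)
```

Because the check is a plain substring match on the URL text, it does not see hostnames inside HTTPS connections or URLs reached through a WAN-side proxy, which is why Table 48 warns about proxies separately.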
CHAPTER 13
Static Route Screens
This chapter shows you how to configure static routes for your ZyXEL Device.
13.1 Static Route Overview
Each remote node specifies only the network to which the gateway is directly connected, and
the ZyXEL Device has no knowledge of the networks beyond. For instance, the ZyXEL
Device knows about network N2 in the following figure through remote node router R1.
However, the ZyXEL Device is unable to route a packet to network N3 because it doesn't
know that there is a route through the same remote node router R1 (via gateway router R2).
The static routes are for you to tell the ZyXEL Device about the networks beyond the remote
nodes.
Figure 74 Example of Static Routing Topology
13.2 IP Static Route Screen
Click Management > Static Route to open the IP Static Route screen. The following screen
displays.
Figure 75 IP Static Route
The following table describes the labels in this screen.
Table 50 IP Static Route
#: This is the index number of an individual static route. The first entry is for the default route and is not editable.
Name: This is the name that describes or identifies this route.
Active: This icon is turned on when this static route is active. Click the Edit icon under Modify and select the Active check box in the Static Route Setup screen to enable the static route. Clear the check box to disable this static route without having to delete the entry.
Destination: This parameter specifies the IP network address of the final destination. Routing is always based on network number.
Gateway: This is the IP address of the gateway. The gateway is an immediate neighbor of your ZyXEL Device that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyXEL Device; over the WAN, the gateway must be the IP address of one of the remote nodes.
Modify: Click the Edit icon to open the static route setup screen. Modify a static route or create a new static route in the Static Route Setup screen. Click the Remove icon to delete a static route.
13.2.1 Static Route Setup Screen
To edit a static route, click the edit icon under Modify. The following screen displays. Fill in
the required information for each static route.
Figure 76 Static Route Setup
The following table describes the labels in this screen.
Table 51 Static Route Setup
Route Name: Enter the name of the IP static route. Leave this field blank to delete this static route.
Active: This field allows you to activate/deactivate this static route.
Private: This parameter determines if the ZyXEL Device will include this route to a remote node in its RIP broadcasts. Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP broadcasts.
Destination IP Address: This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID.
IP Subnet Mask: Enter the IP subnet mask here.
Gateway IP Address: Enter the IP address of the gateway. The gateway is an immediate neighbor of your ZyXEL Device that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyXEL Device; over the WAN, the gateway must be the IP address of one of the remote nodes.
Metric: Metric represents the “cost” of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be between 1 and 15. In practice, 2 or 3 is usually a good number.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to return to the previous screen and not save your changes.
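The following Python program is added as an example and is not ZyXEL code. It builds a small routing table from the Static Route Setup fields (destination, subnet mask, gateway, metric, Active, Private) for the Figure 74 situation, where the ZyXEL Device reaches N2 through R1 but knows nothing of N3 behind R2, and shows that without a static route a packet for N3 follows the default route, while a host route with mask 255.255.255.255 overrides the network route. All addresses are constructed; the most-specific-match rule, the lower-metric tie-break and the RIP advertisement rule are assumptions of this example rather than statements from the manual.

```python
"""Added example, not ZyXEL code: static routes from the Figure 74 topology
modelled as a longest-prefix-match table.

Assumptions (not from the manual): addresses are constructed, the longest
matching network wins, equal-length matches are broken by the lower metric,
and RIP advertises every active route not marked Private.
"""
import ipaddress
from typing import List, Optional, Tuple


class StaticRoute:
    def __init__(self, name: str, dest: str, mask: str, gateway: str,
                 metric: int = 1, active: bool = True, private: bool = False):
        if not 1 <= metric <= 15:
            raise ValueError("Metric must be between 1 and 15")
        self.name = name
        # A mask of 255.255.255.255 makes this a route to a single host.
        self.network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        self.gateway = ipaddress.ip_address(gateway)
        self.metric = metric
        self.active = active
        self.private = private


class RoutingTable:
    def __init__(self, default_gateway: str):
        # Entry #1 is the non-editable default route (Table 50).
        self.routes: List[StaticRoute] = [
            StaticRoute("default", "0.0.0.0", "0.0.0.0", default_gateway)]

    def add(self, route: StaticRoute) -> None:
        self.routes.append(route)

    def lookup(self, dst: str) -> Tuple[str, str]:
        """Return (route name, next-hop gateway) for a destination address."""
        addr = ipaddress.ip_address(dst)
        best: Optional[StaticRoute] = None
        for r in self.routes:
            if not r.active or addr not in r.network:
                continue
            if best is None or (r.network.prefixlen, -r.metric) > \
                    (best.network.prefixlen, -best.metric):
                best = r
        assert best is not None            # the default route always matches
        return best.name, str(best.gateway)

    def rip_advertised(self) -> List[str]:
        return [r.name for r in self.routes
                if r.active and not r.private and r.name != "default"]


# Constructed topology: LAN 192.168.1.0/24, ISP gateway on the WAN, router R1
# on the LAN segment, N2 (10.2.0.0/16) behind R1, N3 (10.3.0.0/16) behind R2,
# which itself sits behind R1.
ISP_GW, R1, R1_PEER = "203.0.113.1", "192.168.1.254", "192.168.1.253"
N3_HOST = "10.3.4.5"


def build_table(with_n3_route: bool) -> RoutingTable:
    table = RoutingTable(ISP_GW)
    table.add(StaticRoute("N2 via R1", "10.2.0.0", "255.255.0.0", R1, metric=2))
    if with_n3_route:
        # Tell the ZyXEL Device that N3 is also reached through R1.
        table.add(StaticRoute("N3 via R1", "10.3.0.0", "255.255.0.0", R1,
                              metric=3, private=True))
    # A host route (mask 255.255.255.255) for one machine inside N2.
    table.add(StaticRoute("host 10.2.9.9", "10.2.9.9", "255.255.255.255",
                          R1_PEER, metric=1))
    return table


if __name__ == "__main__":
    for flag in (False, True):
        print("N3 route configured:", flag, "->", build_table(flag).lookup(N3_HOST))
    t = build_table(True)
    print("host route:", t.lookup("10.2.9.9"), " network route:", t.lookup("10.2.1.1"))
    print("RIP advertises:", t.rip_advertised())
```

Without the N3 entry the packet for 10.3.4.5 is handed to the ISP gateway, which is the failure the overview describes; marking the added route Private keeps it out of RIP broadcasts so the internal topology is not announced to every RIP listener on the LAN.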
CHAPTER 14
Bandwidth Management
This chapter contains information about configuring bandwidth management, editing rules and
viewing the ZyXEL Device’s bandwidth management logs.
14.1 Bandwidth Management Overview
ZyXEL’s Bandwidth Management allows you to specify bandwidth management rules based
on an application and/or subnet. You can allocate specific amounts of bandwidth capacity
(bandwidth budgets) to different bandwidth rules.
The ZyXEL Device applies bandwidth management to traffic that it forwards out through an
interface. The ZyXEL Device does not control the bandwidth of traffic that comes into an
interface.
Bandwidth management applies to all traffic flowing out of the router, regardless of the
traffic's source.
Traffic redirect or IP alias may cause LAN-to-LAN traffic to pass through the ZyXEL Device
and be managed by bandwidth management.
• The sum of the bandwidth allotments that apply to the WAN interface (LAN to WAN,
WLAN to WAN, WAN to WAN / ZyXEL Device) must be less than or equal to the
Upstream Bandwidth that you configure in the Bandwidth Management Advanced
screen.
• The sum of the bandwidth allotments that apply to the LAN port (WAN to LAN, WLAN
to LAN, LAN to LAN / ZyXEL Device) must be less than or equal to 100,000 kbps (you
cannot configure the bandwidth budget for the LAN port).
• The sum of the bandwidth allotments that apply to the WLAN port (LAN to WLAN,
WAN to WLAN, WLAN to WLAN / ZyXEL Device) must be less than or equal to 54,000
kbps (you cannot configure the bandwidth budget for the WLAN port).
14.2 Application-based Bandwidth Management
You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, Email and Video for example).
14.3 Subnet-based Bandwidth Management
You can create bandwidth classes based on subnets.
The following figure shows LAN subnets. You could configure one bandwidth class for
subnet A and another for subnet B.
Figure 77 Subnet-based Bandwidth Management Example
14.4 Application and Subnet-based Bandwidth Management
You could also create bandwidth classes based on a combination of a subnet and an
application. The following example table shows bandwidth allocations for application specific
traffic from separate LAN subnets.
Table 52 Application and Subnet-based Bandwidth Management Example
TRAFFIC TYPE   FROM SUBNET A   FROM SUBNET B
VoIP           64 Kbps         64 Kbps
Web            64 Kbps         64 Kbps
FTP            64 Kbps         64 Kbps
E-mail         64 Kbps         64 Kbps
Video          64 Kbps         64 Kbps
14.5 Bandwidth Management Priorities
The following table describes the priorities that you can apply to traffic that the ZyXEL
Device forwards out through an interface.
Table 53 Bandwidth Management Priorities
Priority levels: traffic with a higher priority gets through faster, while traffic with a lower priority is dropped if the network is congested.
High: Typically used for voice traffic or video that is especially sensitive to jitter (jitter is the variation in delay).
Mid: Typically used for “excellent effort” or better than best effort and would include important business traffic that can tolerate some delay.
Low: This is typically used for non-critical “background” traffic such as bulk transfers that are allowed but that should not affect other applications and users.
14.6 Predefined Bandwidth Management Services
The following is a description of the services that you can select and to which you can apply
media bandwidth management using the wizard screens.
Table 54 Media Bandwidth Management Setup: Services
Xbox Live: This is Microsoft’s online gaming service that lets you play multiplayer Xbox games on the Internet via broadband technology. Xbox Live uses port 3074.
VoIP (SIP): Sending voice signals over the Internet is called Voice over IP or VoIP. Session Initiation Protocol (SIP) is an internationally recognized standard for implementing VoIP. SIP is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is transported primarily over UDP but can also be transported over TCP, using the default port number 5060.
FTP: File Transfer Program enables fast transfer of files, including large files that may not be possible by e-mail. FTP uses port number 21.
E-Mail: Electronic mail consists of messages sent through a computer network to specific groups or individuals. Here are some default ports for e-mail: POP3 - port 110; IMAP - port 143; SMTP - port 25; HTTP - port 80.
BitTorrent: BitTorrent is a free P2P (peer-to-peer) sharing tool allowing you to distribute large software and media files using ports 6881 to 6889. BitTorrent requires you to search for a file with a search engine yourself. It distributes files by cooperation and trading, that is, the client downloads the file in small pieces and shares those pieces with other peers to obtain the rest of the file.
MSN Webcam: MSN Messenger allows you to chat online and send instant messages. If you use MSN Messenger and also have a webcam, you can send your image/photo in real time along with messages.
WWW: The World Wide Web (WWW) is an Internet system to distribute graphical, hyper-linked information, based on Hyper Text Transfer Protocol (HTTP), a client/server protocol for the World Wide Web. The Web is not synonymous with the Internet; rather, it is just one service on the Internet. Other services on the Internet include Internet Relay Chat and Newsgroups. The Web is accessed through use of a browser.
14.6.1 Services and Port Numbers
The commonly used services and port numbers are shown in the following table. Please refer
to RFC 1700 for further information about port numbers (RFC 1700 has since been obsoleted
by RFC 3232; current assignments are kept in the IANA Service Name and Transport Protocol
Port Number Registry). Next to the name of the service, two fields appear in brackets. The first
field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP
port number that defines the service. Note that there may be more than one IP protocol type;
for example, the DNS service uses both UDP port 53 and TCP port 53.
Table 55 Commonly Used Services
AIM/New-ICQ (TCP:5190): AOL’s Internet Messenger service, used as a listening port by ICQ.
AUTH (TCP:113): Authentication protocol used by some servers.
BGP (TCP:179): Border Gateway Protocol.
BOOTP_CLIENT (UDP:68): DHCP Client.
BOOTP_SERVER (UDP:67): DHCP Server.
CU-SEEME (TCP/UDP:7648, 24032):
DNS (UDP/TCP:53): Domain Name Server, a service that matches web names (e.g.
FINGER (TCP:79): Finger is a UNIX or Internet related command that can be used to
FTP (TCP:20,21): File Transfer Program, a program to enable fast transfer of files,
H.323 (TCP:1720): NetMeeting uses this protocol.
HTTP (TCP:80): Hyper Text Transfer Protocol - a client/server protocol for the world
HTTPS (TCP:443): HTTPS is a secured http session often used in e-commerce.
ICQ (UDP:4000): This is a popular Internet chat program.
IKE (UDP:500): The Internet Key Exchange algorithm is used for key distribution and
IPSEC_TUNNEL (AH:0): The IPSEC AH (Authentication Header) tunneling protocol uses this
requests to test whether or not a remote host is reachable.
POP3 server through a temporary connection (TCP/IP or other).
over public networks. This is the control channel.
over public networks. This is the data channel.
remote control for multimedia on the Internet.
the Internet. SMTP enables you to move messages from one e-mail server to another.
SNMP-TRAPS (TCP/UDP:162): Traps for use with the SNMP (RFC:1215).
SQL-NET (TCP:1521): Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers.
SSH (TCP/UDP:22): Secure Shell Remote Login Program.
STRM WORKS (UDP:1558): Stream Works Protocol.
SYSLOG (UDP:514): Syslog allows you to send system logs to a UNIX server.
TACACS (UDP:49): Login Host Protocol used for TACACS (Terminal Access Controller Access Control System).
TELNET (TCP:23): Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.
TFTP (UDP:69): Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
VDOLIVE (TCP:7000): Another videoconferencing solution.
14.7 Default Bandwidth Management Classes and Priorities
If you enable bandwidth management but do not configure a rule for critical traffic like VoIP,
the voice traffic may then get delayed due to insufficient bandwidth. With the automatic traffic
classifier feature activated, the ZyXEL Device automatically assigns a default bandwidth
management class and priority to traffic that does not match any of the user-defined rules. The
traffic is classified based on the traffic type. Real-time traffic always gets higher priority over
other traffic.
The following table shows you the priorities between the three default classes (AutoClass_H, AutoClass_M and Default Class) and user-defined rules. 6 is the highest priority.
Table 56 Bandwidth Management Priority with Default Classes
CLASS TYPEPRIORITY
User-defined with high priority6
AutoClass_H 5
User-defined with medium priority4
AutoClass_M3
User-defined with low priority2
Default Class1
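The following Python program is added as an example and is not ZyXEL code. It checks a set of bandwidth rules against the per-interface budget constraints of Section 14.1 (the WAN sum must not exceed the configured Upstream Bandwidth, the LAN sum 100,000 kbps and the WLAN sum 54,000 kbps) and orders rules and automatic classes by the Table 56 priorities. That every rule's budget counts toward its interface's sum whether Maximum or Minimum Bandwidth is selected is an assumption of this example; the rule names and figures are constructed.

```python
"""Added example, not ZyXEL code: a checker for the bandwidth management
budget constraints of Section 14.1 and the Table 56 priority ordering.

Assumptions (not from the manual): every rule's budget counts toward its
interface's sum regardless of Maximum/Minimum selection; rule names and
figures are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

LAN_CEILING_KBPS = 100_000
WLAN_CEILING_KBPS = 54_000
UPSTREAM_MIN, UPSTREAM_MAX = 2, 100_000

# Table 56: 6 is the highest priority.
PRIORITY: Dict[str, int] = {
    "user:High": 6, "AutoClass_H": 5,
    "user:Mid": 4, "AutoClass_M": 3,
    "user:Low": 2, "Default Class": 1,
}


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str        # "To WAN", "To LAN" or "To WLAN"
    budget_kbps: int
    priority: str         # "High", "Mid" or "Low"

    def rank(self) -> int:
        return PRIORITY[f"user:{self.priority}"]


def validate(rules: List[Rule], upstream_kbps: int) -> List[str]:
    """Return human-readable violations; an empty list means the set is valid."""
    problems: List[str] = []
    if not UPSTREAM_MIN <= upstream_kbps <= UPSTREAM_MAX:
        problems.append(f"Upstream Bandwidth {upstream_kbps} kbps is outside "
                        f"{UPSTREAM_MIN}-{UPSTREAM_MAX}")
    ceilings = {"To WAN": upstream_kbps, "To LAN": LAN_CEILING_KBPS,
                "To WLAN": WLAN_CEILING_KBPS}
    sums: Dict[str, int] = {d: 0 for d in ceilings}
    for r in rules:
        if r.direction not in ceilings:
            problems.append(f"{r.name}: unknown direction {r.direction!r}")
            continue
        if len(r.name) > 19:
            problems.append(f"{r.name!r}: Service Name longer than 19 characters")
        if r.priority not in ("High", "Mid", "Low"):
            problems.append(f"{r.name}: priority must be High, Mid or Low")
        sums[r.direction] += r.budget_kbps
    for direction, total in sums.items():
        if total > ceilings[direction]:
            problems.append(f"{direction}: allotments total {total} kbps, "
                            f"ceiling {ceilings[direction]} kbps")
    return problems


def scheduling_order(rules: List[Rule], auto_classifier: bool) -> List[str]:
    """Names in the order they are served, highest Table 56 priority first;
    equal priorities keep their configured order."""
    entries = [(r.rank(), r.name) for r in rules]
    if auto_classifier:
        entries += [(PRIORITY["AutoClass_H"], "AutoClass_H"),
                    (PRIORITY["AutoClass_M"], "AutoClass_M")]
    entries.append((PRIORITY["Default Class"], "Default Class"))
    return [name for _, name in sorted(entries, key=lambda e: -e[0])]


# Constructed rule set for a 1000 kbps upstream link.
RULES = [
    Rule("VoIP (SIP)", "To WAN", 256, "High"),
    Rule("WWW", "To WAN", 512, "Mid"),
    Rule("BitTorrent", "To WAN", 128, "Low"),
]
EXTRA_FTP = Rule("FTP", "To WAN", 200, "Mid")   # pushes the WAN sum to 1096


if __name__ == "__main__":
    print("violations:", validate(RULES, 1000))
    print("over budget:", validate(RULES + [EXTRA_FTP], 1000))
    print("order with classifier:", scheduling_order(RULES, auto_classifier=True))
```

Running the check before clicking Apply avoids the silent failure the section above warns about, where real-time traffic is configured but starved because the budgets it competes with already consume the upstream link.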
14.8 Bandwidth Management General Configuration
Click Management > Bandwidth MGMT to open the bandwidth management General
screen.
Figure 78 Bandwidth Management: General
The following table describes the labels in this screen.
Table 57 Bandwidth Management: General
Enable Bandwidth Management: Select this check box to have the ZyXEL Device apply bandwidth management. Enable bandwidth management to give traffic that matches a bandwidth rule priority over traffic that does not match a bandwidth rule. Enabling bandwidth management also allows you to control the maximum or minimum amounts of bandwidth that can be used by traffic that matches a bandwidth rule.
Enable Automatic Traffic Classifier: This field is only applicable when you select the Enable Bandwidth Management check box. Select this check box to have the ZyXEL Device use the default bandwidth classes to apply bandwidth management. Real-time packets, such as VoIP traffic, always get higher priority.
Apply: Click Apply to save your customized settings.
Reset: Click Reset to begin configuring this screen afresh.
14.9 Bandwidth Management Advanced Configuration
Click Management > Bandwidth MGMT > Advanced to open the bandwidth management
Advanced screen.
Figure 79 Bandwidth Management: Advanced
The following table describes the labels in this screen.
Table 58 Bandwidth Management: Advanced
Upstream Bandwidth (kbps): Enter the amount of bandwidth in kbps (2 to 100,000) that you want to allocate for traffic. 20 kbps to 20,000 kbps is recommended. The recommendation is to set this speed to be equal to or less than the speed of the broadband device connected to the WAN port. For example, set the speed to 1000 kbps (or less) if the broadband device connected to the WAN port has an upstream speed of 1000 kbps.
Application List: Use this table to allocate specific amounts of bandwidth based on the pre-defined service.
#: This is the number of an individual bandwidth management rule.
Enable: Select this check box to have the ZyXEL Device apply this bandwidth management rule.
Service: This is the name of the service.
Priority: Select a priority from the drop-down list box. Choose High, Mid or Low.
Advanced Setting: Click the Edit icon to open the Rule Configuration screen where you can modify the rule.
User-defined Service: Use this table to allocate specific amounts of bandwidth to specific applications and/or subnets.
#: This is the number of an individual bandwidth management rule.
Enable: Select this check box to have the ZyXEL Device apply this bandwidth management rule.
Direction: Select To LAN to apply bandwidth management to traffic that the ZyXEL Device forwards to the LAN. Select To WAN to apply bandwidth management to traffic that the ZyXEL Device forwards to the WAN. Select To WLAN to apply bandwidth management to traffic that the ZyXEL Device forwards to the WLAN.
Service Name: Enter a descriptive name of up to 19 alphanumeric characters, including spaces.
Priority: Select a priority from the drop-down list box. Choose High, Mid or Low.
Modify: Click the Edit icon to open the Rule Configuration screen. Modify an existing rule or create a new rule in the Rule Configuration screen. See Section 14.9.2 for more information. Click the Remove icon to delete a rule.
Apply: Click Apply to save your customized settings.
Reset: Click Reset to begin configuring this screen afresh.
14.9.1 Rule Configuration with the Pre-defined Service
To edit a bandwidth management rule for the pre-defined service in the ZyXEL Device, click
the Edit icon in the Application List table of the Advanced screen. The following screen
displays.
Figure 80 Bandwidth Management Rule Configuration: Pre-defined Service
The following table describes the labels in this screen.
Table 59 Bandwidth Management Rule Configuration: Pre-defined Service
#: This is the number of an individual bandwidth management rule.
Enable: Select an interface’s check box to enable bandwidth management on that interface.
Direction: These read-only labels represent the physical interfaces. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic’s source. Traffic redirect or IP alias may cause LAN-to-LAN traffic to pass through the ZyXEL Device and be managed by bandwidth management.
Bandwidth: Select Maximum Bandwidth or Minimum Bandwidth and specify the maximum or minimum bandwidth allowed for the rule in kilobits per second.
Destination Port: This is the port number of the destination. See Table 55 for some common services and port numbers.
Source Port: This is the port number of the source. See Table 55 for some common services and port numbers.
Protocol: This is the protocol (TCP or UDP) used for the service.
OK: Click OK to save your customized settings.
Cancel: Click Cancel to exit this screen without saving.
14.9.2 Rule Configuration with the User-defined Service
In addition to the pre-defined services, if you want to edit a bandwidth management rule for
other applications and/or subnets, click the Edit icon in the User-defined Service table of the Advanced screen. The following screen displays.
Figure 81 Bandwidth Management Rule Configuration: User-defined Service
The following table describes the labels in this screen.
Table 60 Bandwidth Management Rule Configuration: User-defined Service
LABEL: DESCRIPTION
BW Budget: Select Maximum Bandwidth or Minimum Bandwidth and specify the maximum or minimum bandwidth allowed for the rule in kilobits per second.
Destination Address: Enter the destination IP address in dotted decimal notation.
Destination Subnet Netmask: Enter the destination subnet mask. This field is N/A if you do not specify a Destination Address. Refer to the appendices for more information on IP subnetting.
Destination Port: Enter the port number of the destination. See Table 55 on page 140 for some common services and port numbers.
Source Address: Enter the source IP address in dotted decimal notation.
Source Subnet Netmask: Enter the source subnet mask. This field is N/A if you do not specify a Source Address. Refer to the appendices for more information on IP subnetting.
Source Port: Enter the port number of the source. See Table 55 on page 140 for some common services and port numbers.
Protocol: Select the protocol (TCP or UDP) or select User defined and enter the protocol (service type) number.
OK: Click OK to save your customized settings.
Cancel: Click Cancel to exit this screen without saving.
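The fields of a user-defined rule (Table 60) describe a classifier: a packet is managed by the rule only if every field that was filled in matches it. The Python below is an added example, not ZyXEL code, showing how such a classifier is evaluated; in particular it shows how a Destination or Source Subnet Netmask widens a single address to a whole subnet. Treating an empty field as "match anything", treating an address without a netmask as a single host, and first-match rule ordering are assumptions made for this illustration.

```python
"""Matching a packet against user-defined bandwidth management rules.

Added example, not ZyXEL code. The rule fields mirror the User-defined
Service screen: BW budget (Maximum or Minimum, in kbps), destination
address and subnet netmask, destination port, source address and subnet
netmask, source port, and protocol (TCP, UDP or a user-defined protocol
number). Wildcard handling and first-match ordering are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

TCP, UDP = 6, 17  # IP protocol numbers; any other value is "User defined"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int


@dataclass
class BandwidthRule:
    name: str
    budget_kbps: int
    budget_kind: str                    # "Maximum" or "Minimum"
    dst_address: Optional[str] = None
    dst_netmask: Optional[str] = None   # N/A when dst_address is empty
    dst_port: Optional[int] = None
    src_address: Optional[str] = None
    src_netmask: Optional[str] = None   # N/A when src_address is empty
    src_port: Optional[int] = None
    protocol: Optional[int] = None

    @staticmethod
    def _network(address: Optional[str], netmask: Optional[str]) -> Optional[IPv4Network]:
        """An address plus netmask becomes a subnet; an address alone is one host."""
        if address is None:
            return None
        # strict=False accepts a host address together with a wider mask
        # (e.g. 192.168.1.20/255.255.255.0) and resolves it to the network.
        return IPv4Network(f"{address}/{netmask or '255.255.255.255'}", strict=False)

    def matches(self, pkt: Packet) -> bool:
        dst_net = self._network(self.dst_address, self.dst_netmask)
        src_net = self._network(self.src_address, self.src_netmask)
        checks = (
            dst_net is None or IPv4Address(pkt.dst) in dst_net,
            src_net is None or IPv4Address(pkt.src) in src_net,
            self.dst_port is None or self.dst_port == pkt.dport,
            self.src_port is None or self.src_port == pkt.sport,
            self.protocol is None or self.protocol == pkt.proto,
        )
        return all(checks)


def select_rule(rules: List[BandwidthRule], pkt: Packet) -> Optional[BandwidthRule]:
    """Return the first rule whose filled-in fields all match the packet, else None."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


if __name__ == "__main__":
    # Constructed sample rules and packets (not from the manual).
    rules = [
        BandwidthRule("sip", 256, "Maximum", dst_port=5060, protocol=UDP),
        BandwidthRule("servers", 2000, "Minimum", dst_address="192.168.1.0",
                      dst_netmask="255.255.255.0", protocol=TCP),
        BandwidthRule("camera", 512, "Maximum", src_address="10.0.0.5"),
    ]
    for pkt in (Packet("10.0.0.9", "203.0.113.9", 40000, 5060, UDP),
                Packet("10.0.0.5", "192.168.2.20", 40000, 443, TCP),
                Packet("10.0.0.6", "192.168.2.20", 40000, 443, TCP)):
        rule = select_rule(rules, pkt)
        print(pkt, "->", rule.name if rule else "unmanaged")
```

A rule with a Destination Address but no netmask matches only that host, which is why the screen marks the netmask N/A until an address is entered.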
14.10 Bandwidth Management Monitor
Click Management > Bandwidth MGMT > Monitor to open the bandwidth management
Monitor screen. View the bandwidth usage of the WAN configured bandwidth rules. This is
also shown as bandwidth usage over the bandwidth budget for each rule. The gray section of
the bar represents the percentage of unused bandwidth and the blue color represents the
percentage of bandwidth in use.
Figure 82 Bandwidth Management: Monitor
CHAPTER 15
Remote Management Screens
This chapter provides information on the Remote Management screens.
15.1 Remote Management Overview
Remote management allows you to determine which services/protocols can access which
ZyXEL Device interface (if any) from which computers.
Note: When you configure remote management to allow management from the
WAN, you still need to configure a firewall rule to allow access. See the firewall
chapters for details on configuring firewall rules.
You may manage your ZyXEL Device from a remote location via:
Table 61
• Internet (WAN only)
• ALL (LAN and WAN)
• LAN only
• Neither (Disable).
Note: When you choose WAN or LAN & WAN, you still need to configure a firewall
rule to allow access.
To disable remote management of a service, select Disable in the corresponding Server
Access field.
You may only have one remote management session running at a time. The ZyXEL Device
automatically disconnects a remote management session of lower priority when another
remote management session of higher priority starts. The priorities for the different types of
remote management sessions are as follows.
1 Telnet
2 HTTP
15.1.1 Remote Management Limitations
Remote management over LAN or WAN will not work when:
1 You have disabled that service in one of the remote management screens.
2 The IP address in the Secured Client IP Address field does not match the client IP
address. If it does not match, the ZyXEL Device will disconnect the session
immediately.
3 There is already another remote management session with an equal or higher priority
running. You may only have one remote management session running at one time.
4 There is a firewall rule that blocks it.
15.1.2 Remote Management and NAT
When NAT is enabled:
• Use the ZyXEL Device’s WAN IP address when configuring from the WAN.
• Use the ZyXEL Device’s LAN IP address when configuring from the LAN.
15.1.3 System Timeout
There is a default system management idle timeout of five minutes (three hundred seconds).
The ZyXEL Device automatically logs you out if the management session remains idle for
longer than this timeout period. The management session does not time out when a statistics
screen is polling. You can change the timeout period in the System screen.
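The admission checks that Sections 15.1 through 15.1.3 describe (per-service Server Access, the Secured Client IP Address check, the one-session rule with Telnet ranked above HTTP, the firewall rule needed for WAN access, and the 300 second idle timeout that is suspended while a statistics screen polls) are modelled below in Python as an added example. This is not ZyXEL firmware code; the class names, field names and the rejection strings are assumptions made for this illustration.

```python
"""Remote management admission model for Sections 15.1 to 15.1.3.

Added example, not ZyXEL firmware code. It applies, in order, the reasons
the manual gives for a remote management session not working: the service
is disabled or not allowed on the arriving interface, the client is not the
Secured Client IP Address, a firewall rule blocks WAN access, or a session
of equal or higher priority is already running. A lower-priority session
is disconnected when a higher-priority one starts.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Lower number = higher priority; the manual lists 1 Telnet, 2 HTTP.
PRIORITY = {"telnet": 1, "http": 2}
IDLE_TIMEOUT_SECONDS = 300  # default: five minutes


@dataclass
class ServiceConfig:
    server_port: int
    server_access: str = "LAN"               # "WAN", "ALL", "LAN" or "Disable"
    secured_client_ip: Optional[str] = None  # None means "All"


@dataclass
class Session:
    service: str
    client_ip: str
    last_activity: float
    polling: bool = False  # a polling statistics screen keeps the session alive


def access_permits(server_access: str, interface: str) -> bool:
    """Map the Server Access choice to the interface the request arrives on."""
    return {
        "WAN": interface == "WAN",
        "LAN": interface == "LAN",
        "ALL": interface in ("LAN", "WAN"),
        "Disable": False,
    }[server_access]


class RemoteManagement:
    def __init__(self, services: Dict[str, ServiceConfig], wan_firewall_ports: Set[int]):
        self.services = services
        # Ports that a firewall rule explicitly allows in from the WAN.
        # LAN-side management needs no such rule in this model (assumption).
        self.wan_firewall_ports = wan_firewall_ports
        self.session: Optional[Session] = None

    def expire_idle(self, now: float) -> None:
        """Drop the session once it has been idle longer than the timeout."""
        s = self.session
        if s and not s.polling and now - s.last_activity > IDLE_TIMEOUT_SECONDS:
            self.session = None

    def request(self, service: str, client_ip: str, interface: str, now: float) -> str:
        """Return 'accepted' or a string naming the first failing check."""
        cfg = self.services.get(service)
        if cfg is None or cfg.server_access == "Disable":
            return "rejected: service disabled"
        if not access_permits(cfg.server_access, interface):
            return "rejected: interface not allowed for this service"
        if cfg.secured_client_ip is not None and cfg.secured_client_ip != client_ip:
            return "rejected: client is not the secured client"
        if interface == "WAN" and cfg.server_port not in self.wan_firewall_ports:
            return "rejected: firewall rule blocks it"
        self.expire_idle(now)
        if self.session is not None and PRIORITY[self.session.service] <= PRIORITY[service]:
            return "rejected: session with equal or higher priority running"
        # Any lower-priority session is disconnected in favour of the new one.
        self.session = Session(service, client_ip, now)
        return "accepted"


if __name__ == "__main__":
    # Constructed sample configuration (addresses are documentation ranges).
    rm = RemoteManagement(
        {"http": ServiceConfig(80, "ALL"),
         "telnet": ServiceConfig(23, "LAN", secured_client_ip="192.168.1.33")},
        wan_firewall_ports={80},
    )
    print(rm.request("http", "198.51.100.7", "WAN", 0))
    print(rm.request("telnet", "192.168.1.33", "LAN", 10))
    print(rm.request("http", "192.168.1.10", "LAN", 20))
```

Note that in this model the firewall check only applies to WAN requests, which is the case the manual's notes single out; an operator who allows management from the WAN without the matching firewall rule gets "rejected: firewall rule blocks it" rather than a silent failure.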
15.2 WWW Screen
To change your ZyXEL Device’s World Wide Web settings, click Management > Remote
MGMT to display the WWW screen.
Figure 83 WWW Remote Management
The following table describes the labels in this screen.
Table 62 WWW Remote Management
LABEL: DESCRIPTION
Server Port: You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP Address: A secured client is a “trusted” computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.
15.3 Telnet
You can configure your ZyXEL Device for remote Telnet access as shown next. The
administrator uses Telnet from a computer on a remote network to access the ZyXEL Device.
Figure 84 Telnet Configuration on a TCP/IP Network
15.4 Telnet Screen
To change your ZyXEL Device’s Telnet settings, click Management > Remote MGMT >
Telnet. The following screen displays.
Figure 85 Telnet Remote Management
The following table describes the labels in this screen.
Table 63 Telnet Remote Management
LABEL: DESCRIPTION
Server Port: You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP Address: A secured client is a “trusted” computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.
15.5 FTP Screen
You can upload and download the ZyXEL Device’s firmware and configuration files using
FTP; see the chapter on firmware and configuration file maintenance for details. To use
this feature, your computer must have an FTP client.
To change your ZyXEL Device’s FTP settings, click Management > Remote MGMT >
FTP. The screen appears as shown.
Figure 86 FTP Remote Management
The following table describes the labels in this screen.
Table 64 FTP Remote Management
LABEL: DESCRIPTION
Server Port: You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP Address: A secured client is a “trusted” computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.
15.6 DNS Screen
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and
vice versa. Refer to the chapter on Wizard Setup for background information.
To change your ZyXEL Device’s DNS settings, click Management > Remote MGMT >
DNS. The screen appears as shown.
Figure 87 DNS Remote Management
The following table describes the labels in this screen.
Table 65 DNS Remote Management
LABEL: DESCRIPTION
Server Port: The DNS service port number is 53 and cannot be changed here.
Server Access: Select the interface(s) through which a computer may send DNS queries to the ZyXEL Device.
Secured Client IP Address: A secured client is a “trusted” computer that is allowed to send DNS queries to the ZyXEL Device. Select All to allow any computer to send DNS queries to the ZyXEL Device. Choose Selected to just allow the computer with the IP address that you specify to send DNS queries to the ZyXEL Device.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.
CHAPTER 16
Universal Plug-and-Play (UPnP)
This chapter introduces the UPnP feature in the web configurator.
16.1 Introducing Universal Plug and Play
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP
for simple peer-to-peer network connectivity between devices. A UPnP device can
dynamically join a network, obtain an IP address, convey its capabilities and learn about other
devices on the network. In turn, a device can leave a network smoothly and automatically
when it is no longer in use.
See Section 16.3 on page 156 for configuration instructions.
16.1.1 How do I know if I'm using UPnP?
UPnP hardware is identified as an icon in the Network Connections folder (Windows XP).
Each UPnP compatible device installed on your network will appear as a separate icon.
Selecting the icon of a UPnP device will allow you to access the information and properties of
that device.
16.1.2 NAT Traversal
UPnP NAT traversal automates the process of allowing an application to operate through
NAT. UPnP network devices can automatically configure network addressing, announce their
presence in the network to other UPnP devices and enable exchange of simple product and
service descriptions. NAT traversal allows the following:
• Dynamic port mapping
• Learning public IP addresses
• Assigning lease times to mappings
Windows Messenger is an example of an application that supports NAT traversal and UPnP.
See the NAT chapter for more information on NAT.
16.1.3 Cautions with UPnP
The automated nature of NAT traversal applications in establishing their own services and
opening firewall ports may present network security issues. Network information and
configuration may also be obtained and modified by users in some network environments.
When a UPnP device joins a network, it announces its presence with a multicast message. For
security reasons, the ZyXEL Device allows multicast messages on the LAN only.
All UPnP-enabled devices may communicate freely with each other without additional
configuration. Disable UPnP if this is not your intention.
16.2 UPnP and ZyXEL
ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP™
Implementers Corp. (UIC). ZyXEL's UPnP implementation supports Internet Gateway Device
(IGD) 1.0.
See the following sections for examples of installing and using UPnP.
16.3 UPnP Screen
Click Management > UPnP to display the UPnP screen.
Figure 88 Configuring UPnP
The following table describes the labels in this screen.
Table 66 Configuring UPnP
LABEL: DESCRIPTION
Active the Universal Plug and Play (UPnP) Feature: Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyXEL Device's IP address (although you must still enter the password to access the web configurator).
Allow users to make configuration changes through UPnP: Select this check box to allow UPnP-enabled applications to automatically configure the ZyXEL Device so that they can communicate through the ZyXEL Device, for example by using NAT traversal. UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device; this eliminates the need to manually configure port forwarding for the UPnP enabled application.
Allow UPnP to pass through Firewall: Select this check box to allow traffic from UPnP-enabled applications to bypass the firewall. Clear this check box to have the firewall block all UPnP application packets (for example, MSN packets).
Apply: Click Apply to save the setting to the ZyXEL Device.
Cancel: Click Cancel to return to the previously saved settings.
16.4 Installing UPnP in Windows Example
This section shows how to install UPnP in Windows Me and Windows XP.
16.4.0.1 Installing UPnP in Windows Me
Follow the steps below to install the UPnP in Windows Me.
1 Click Start and Control Panel. Double-click Add/Remove Programs.
2 Click on the Windows Setup tab and select Communication in the Components
selection box. Click Details.
Figure 89 Add/Remove Programs: Windows Setup: Communication
3 In the Communications window, select the Universal Plug and Play check box in the
Components selection box.
Figure 90 Add/Remove Programs: Windows Setup: Communication: Components
4 Click OK to go back to the Add/Remove Programs Properties window and click
Next.
5 Restart the computer when prompted.
Installing UPnP in Windows XP
Follow the steps below to install the UPnP in Windows XP.
1 Click Start and Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select
Optional Networking Components ….
Figure 91 Network Connections
4 The Windows Optional Networking Components Wizard window displays. Select
Networking Service in the Components selection box and click Details.
Figure 92 Windows Optional Networking Components Wizard
5 In the Networking Services window, select the Universal Plug and Play check box.
Figure 93 Networking Services
6 Click OK to go back to the Windows Optional Networking Component Wizard
window and click Next.
16.4.0.2 Using UPnP in Windows XP Example
This section shows you how to use the UPnP feature in Windows XP. You must already have
UPnP installed in Windows XP and UPnP activated on the ZyXEL Device.
Make sure the computer is connected to a LAN port of the ZyXEL Device. Turn on your
computer and the ZyXEL Device.
Auto-discover Your UPnP-enabled Network Device
1 Click Start and Control Panel. Double-click Network Connections. An icon displays
under Internet Gateway.
2 Right-click the icon and select Properties.
Figure 94 Network Connections
3 In the Internet Connection Properties window, click Settings to see the port mappings
that were automatically created.